More Details Emerge on Ticketmaster Breach Involving 560 Million Accounts

Photo Credit: Mikhail Fesenko

The hackers responsible for stealing terabytes of data from Ticketmaster and other customers of cloud storage firm Snowflake have detailed their process. According to one insider, the whole incident was a chain reaction from a single breach of a Belarusian contractor. Here’s the latest.

The Snowflake hack has left 165 customers like Ticketmaster cleaning up a mess after hackers breached the cloud storage firm. Other confirmed victims of this breach include banking firm Santander, Lending Tree, and Advance Auto Parts. A new blog post from Google-owned security firm Mandiant details how hackers targeted third-party contractors—without identifying them.

One of the hackers spoke with Wired and confirmed one of the firms was EPAM Systems, a publicly traded software engineering and digital services firm. It was founded by Arkadiy Dobkin and currently has revenue of around $4.8 billion. The hacker group ShinyHunters used data obtained from an EPAM employee system to gain access to the Snowflake accounts.

EPAM disputes the hackers’ story, telling Wired that it does not believe it played a significant role in the breach. ShinyHunters are a black-hat criminal hacker group who formed in 2020 and have been involved in numerous data breaches since.

Their name ‘ShinyHunters’ comes from the gaming franchise Pokemon, in which players have a rare chance to encounter a ‘shiny’ pokemon in fights. Data breaches for which the hacking group have claimed responsibility include Wattpad, Microsoft, AT&T, PlutoTV, Animal Jam, Mashable, Mathway, and Santander.

What is Snowflake?

Snowflake is a cloud data storage and analysis firm that offers tools companies use to extract intelligence from their customer data. EPAM develops software and offers managed solutions for its customers in North America, Europe, Asia, and Australia. One of EPAM’s managed solutions is managing and analyzing the data its customers store in Snowflake.

The hacker speaking with Wired says a computer belonging to an EPAM employee in Ukraine was infected with info-stealer malware through a spear-phishing attack. Spear-phishing is a specific type of phishing attack that targets an individual with highly personalized information with the goal of stealing access to tools on the target’s computer. Spear-phishing attacks typically have an element of social engineering to them to urge the victim to click on a malicious link or download a malicious attachment from an email.

The hacker says that with access to the remote EPAM worker’s system, they installed a trojan, giving them access to everything on the computer. Using the trojan, they discovered unencrypted usernames and passwords that the worker used to access and manage EPAM customers’ Snowflake accounts—including the Ticketmaster account. The hack was made possible because the Snowflake accounts didn’t require multi-factor authentication to access them.

Ticketmaster has not directly acknowledged the hack, but parent company Live Nation confirmed data was stolen from its Snowflake account in May 2024. At the time of that announcement, Live Nation did not say how many accounts could be affected. Hackers have released a preview of the database on dark web forums, claiming that data on 560 million Ticketmaster customers is for sale.